Rapid7 Blog

Meterpreter Pivoting, Web Scanning, Wireless, and More!

Last week we released Metasploit 3.3.2 following on the heels of Metasploit 3.3.1. This release marked a major change to how the Meterpreter backend processed commands; instead of running each request serially, the Meterpreter now spawns a background thread for each request. This allows for multiple scripts to access the same Meterpreter instance at the same time and vastly improves the pivoting functionality. Version 3.3.2 also added support for a standards-compliant XMLRPC server, enhanced the NeXpose Plugin, updated the Oracle mixins, cleaned up the database backend, and fixed 45 bugs. Rapid7 also released an update for NeXpose Community Edition that provides PDF and HTML reporting and adds vulnerability checks for the past Microsoft Tuesday.

We plan to release version 3.3.3 before the end of the year, with a focus on exploit ranking, improving the WMAP web scanner, and expanding our WiFi functionality through Lorcon2.

For those unfamiliar with WMAP, think of it as a web app scanner that has been deconstructed into individual tests. Every security test performed by WMAP can be executed as part of an automated scan or manually as an auxiliary module. Data from one type of scanner module can be fed into another type, which in turn gathers even more data, and so on. The slick part is that these modules have access to the entire Metasploit API, including exploits, payloads, and protocol stacks. It is entirely possible to write a WMAP analysis module that leverages information from a web application to compromise another system (using leaked MSSQL credentials, for example). Recent (post 3.3.2) updates to WMAP include a massively expanded directory scanner (based on metasploit.com's own web logs) and updates to the underlying database schema.

On the wireless front, Metasploit has had hostile AP and wireless driver (ring-0) exploits for many years, but until recently we had no way to watch WiFi traffic and interact with a specific device. With the introduction of Lorcon2 support in Metasploit 3.3, we can now port nearly any WiFi tool to a Metasploit module. Mike Kershaw has demonstrated this by porting airpwn and dnspwn to Metasploit, providing great examples of how to use the new API.

As always, the best way to follow development is to watch the activity log from the Metasploit tracker. The last few months have been a whirlwind of development, but the really fun stuff is yet to come :)